How victims of PowerSchool’s data breach helped one another examine ‘huge’ hack

On January 7, at 11:10 p.m. in Dubai, Romy Backus received an email from education technology giant PowerSchool notifying her that the school she works at was one of the victims of a data breach that the company discovered on December 28. PowerSchool said hackers had accessed a cloud system that housed a trove of students’ and teachers’ private information, including Social Security numbers, medical information, grades, and other personal data from schools all over the world. 

Given that PowerSchool bills itself as the largest provider of cloud-based education software for K-12 schools — some 18,000 schools and more than 60 million students — in North America, the impact could be “massive,” as one tech worker at an affected school told TechCrunch. Sources at school districts impacted by the incident told TechCrunch that hackers accessed “all” their student and teacher historical data stored in their PowerSchool-provided systems. 

Backus works at the American School of Dubai, where she manages the school’s PowerSchool SIS system. Schools use this system — the same system that was hacked — to manage student data, like grades, attendance, enrollment, and also more sensitive information such as student Social Security numbers and medical records. 

The next morning after getting the email from PowerSchool, Backus said she went to see her manager, triggered the school’s protocols to handle data breaches, and started investigating the breach to understand exactly what the hackers stole from her school, since PowerSchool didn’t provide any details related to her school in its disclosure email.

“I started digging because I wanted to know more,” Backus told TechCrunch. “Just telling me that, okay, we’ve been affected. Great. Well, what’s been taken? When was it taken? How bad is it?” 

“They weren’t ready to provide us with any of the concrete information that customers needed in order to do our own diligence,” said Backus.

Soon after, Backus realized that other administrators at schools that use PowerSchool were trying to find the same answers. 

“Some of it had to do with the confusing and inconsistent communication that came from PowerSchool,” according to one of the half-dozen school workers who spoke with TechCrunch on condition that neither they, nor their school district, be named.

“To [PowerSchool]’s credit, they actually alerted their customers very quickly about it, especially when you look at the tech industry as a whole, but their communication lacked any actionable information and was misleading at worst, downright confusing at best,” the person said.

Contact Us

Do you have more information about the PowerSchool breach? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

In the early hours after PowerSchool’s notification, schools were scrambling to figure out the extent of the breach, or even if they had been breached at all. The email listservs of PowerSchool customers, where they customarily share information with each other, “exploded,” as Adam Larsen, the assistant superintendent for Community Unit School District 220 in Oregon, Illinois, put it to TechCrunch. 

The community quickly realized they were on their own. “We need our friends to act quickly because they can’t really trust PowerSchool’s information right now,” said Larsen. 

“There was a lot of panic and not reading what has been shared already, and then asking the same questions over and over again,” said Backus.

Thanks to her own skills and knowledge of the system, Backus said she was able to quickly figure out what data was compromised at her school, and started comparing notes with other workers from other affected schools. When she realized there was a pattern to the breach, and suspecting it may be the same for others, Backus decided to put together a how-to guide with details, such as the specific IP address that the hackers used to breach schools, and steps to take to investigate the incident and determine whether a system had been breached, along with what specific data was stolen.

At 4:36 p.m. Dubai time on January 8, less than 24 hours after PowerSchool notified all customers, Backus said she sent a shared Google Doc on WhatsApp in group chats with other PowerSchool administrators based in Europe and across the Middle East, who often share information and resources to help each other. Later that day, after talking to more people and refining the document, Backus said she posted it on the PowerSchool User Group, a non-official support forum for PowerSchool users that has more than 5,000 members.

Since then, the document has been updated regularly and grown to nearly 2,000 words, effectively going viral inside the PowerSchool community. As of Friday, the document had been viewed more than 2,500 times, according to Backus, who created a Bit.ly shortlink that allows her to see how many people clicked the link. Several people publicly shared the document’s full web address on Reddit and other closed groups, so it’s likely many more have seen the document. At the time of writing, there were around 30 viewers on the document. 

On the same day Backus shared her document, Larsen published an open source set of tools, as well as a how-to video, with the goal of helping others. 

Backus’ document and Larsen’s tools are an example of how the community of workers at schools that were hacked — and those that were actually not hacked but were still notified by PowerSchool — rallied to support each other. School workers have had to resort to helping each other out and responding to the breach in a crowdsourced manner fueled by solidarity and necessity because of the slow and incomplete response from PowerSchool, according to the half-dozen workers at affected schools who participated in the community effort and spoke about their experiences with TechCrunch. 

Several other school workers supported each other in several Reddit threads. Some of them were published on the K-12 systems administrators’ subreddit, where users have to be vetted and verified to be able to post. 

Doug Levin, the co-founder and national director of a nonprofit that helps schools with cybersecurity, the K12 Security Information eXchange (K12 SIX), which published its own FAQ about the PowerSchool hack, told TechCrunch that this kind of open collaboration is common in the community, but “the PowerSchool incident is of such a large scope that it is more evident.” 

“The sector itself is quite large and diverse — and, in general, we have not yet established the information sharing infrastructure that exists in other sectors for cybersecurity incidents,” said Levin. 

Levin underscored the fact that the education sector has to rely on open collaboration through more informal, sometimes public channels, often because schools are generally understaffed in terms of IT workers and lack specialist cybersecurity expertise.

Another school worker told TechCrunch that “for so many of us, we don’t have the funding for the full cybersecurity resources we need to respond to incidents and we have to band together.”

When reached for comment, PowerSchool’s spokesperson Beth Keebler told TechCrunch: “Our PowerSchool customers are part of a strong security community that is dedicated to sharing information and helping each other. We are grateful for our customers’ patience and sincerely thank those who jumped in to help their peers by sharing information. We will continue to do the same.”

Additional reporting by Carly Page.
